Trend Micro TrendLabs Malware Blog
    SpyEye is a family of information-stealing malware in the same class as ZeuS/ZBOT. It is sometimes called a “ZeuS killer” because it terminates any ZeuS malware already running on a system it infects. We discussed this earlier in the blog post “Keeping an Eye on the EYEBOT and a Possible Bot War.”

    We were able to investigate further a command-and-control (C&C) server of a SpyEye botnet, most of whose bots were located in Poland. This is somewhat unusual, as bot herders usually prefer Western targets such as the United States, the United Kingdom, Germany, Italy, Spain, and France.

    This particular SpyEye C&C server is located in Ukraine:

    IP address: {BLOCKED}.{BLOCKED}.159.29
    Org: Tavria Host Network
    ISP: PAN-SAM Ltd.
    ASN: AS196814

    We were able to access the different Control Panel tabs on this SpyEye server, which showed information such as the number of bots and their locations:

    [Screenshot: control panel tab showing the bot count and bot locations]

    The panel also gave a statistical breakdown of the bots by operating system, by Internet Explorer version, and by whether the infected user runs as an administrator, a figure that matters for what the bot herder can install next:

    [Screenshots: bot statistics by operating system, by Internet Explorer version, and by administrator rights]

    We also found the botnet configuration and details of the stolen data:

    [Screenshots: botnet configuration and stolen data views in the control panel]

    After digging through the data, we found that many credentials had been stolen. They came from banks, social networking sites, and career/job-hunting sites. The server itself was not particularly well secured: the bot herder left several directories open to browsing as well as readable configuration files. We retrieved roughly 400MB of stolen data from this C&C server.
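    Two of the things an analyst does with a dump like this are to reproduce the panel's bot breakdown from the raw check-in records and to triage the stolen credentials for victim notification. The script below, an added example that is not Trend Micro's tooling and uses constructed records rather than the real SpyEye formats, does both: it counts bots by OS, IE version, admin rights and country, sorts stolen logins into bank/social/job-site categories using a hypothetical hostname table, masks the secrets before they are displayed, skips corrupt lines, and flags username/password pairs reused across several sites, which are the victims to notify first.

```python
"""Triage of a recovered information-stealer C&C dump (added example).

The record layouts and all data below are constructed for illustration;
they are not the formats used by the SpyEye panel.
"""
from collections import Counter
from urllib.parse import urlsplit

# Constructed bot check-in records: bot_id|country|os|ie_version|is_admin
BOT_REPORTS = """\
b001|PL|Windows XP|6|1
b002|PL|Windows XP|7|1
b003|PL|Windows 7|8|0
b004|UA|Windows Vista|7|0
b005|PL|Windows 7|8|1
"""

# Constructed form-grabber records: url|username|password
# (one deliberately corrupt line to show that parsing skips it)
STOLEN_RECORDS = """\
https://online.example-bank.test/login|jkowalski|Hunter2Pass
https://www.social.test/auth|anna.n|summer2010
https://jobs.careerportal.test/signin|m.nowak|qwerty123
https://online.example-bank.test/login|a.zielinska|P@ssw0rd
this line is corrupt
http://mail.example.test/login|jkowalski|Hunter2Pass
"""

# Hypothetical mapping of hostname suffix to victim category.
CATEGORIES = {
    "example-bank.test": "bank",
    "social.test": "social networking",
    "careerportal.test": "career/job hunting",
}


def _split_records(text, field_count):
    """Yield field lists for lines that have exactly field_count '|' fields."""
    for line in text.splitlines():
        fields = line.strip().split("|")
        if len(fields) == field_count:
            yield fields


def parse_bot_reports(text):
    reports = []
    for bot_id, country, os_name, ie_version, is_admin in _split_records(text, 5):
        reports.append({"bot_id": bot_id, "country": country, "os": os_name,
                        "ie_version": ie_version, "is_admin": is_admin == "1"})
    return reports


def bot_stats(reports):
    """The same breakdown the panel shows: OS, IE version, admin rights, country."""
    return {
        "total": len(reports),
        "os": Counter(r["os"] for r in reports),
        "ie_version": Counter(r["ie_version"] for r in reports),
        "admin": sum(1 for r in reports if r["is_admin"]),
        "country": Counter(r["country"] for r in reports),
    }


def categorize_host(host):
    """Match the host against CATEGORIES by suffix; anything else is 'other'."""
    for suffix, category in CATEGORIES.items():
        if host == suffix or host.endswith("." + suffix):
            return category
    return "other"


def mask_secret(secret):
    """Keep the first two characters so records can be matched, hide the rest."""
    if len(secret) <= 2:
        return "*" * len(secret)
    return secret[:2] + "*" * (len(secret) - 2)


def triage_credentials(text):
    records = []
    for url, username, password in _split_records(text, 3):
        host = urlsplit(url).hostname or ""
        records.append({"host": host, "category": categorize_host(host),
                        "username": username,
                        "password_masked": mask_secret(password),
                        "_secret": password})  # kept only for reuse analysis
    return records


def credential_summary(records):
    return Counter(r["category"] for r in records)


def reused_credentials(records):
    """Username/password pairs seen on more than one host, keyed by username."""
    hosts_by_pair = {}
    for r in records:
        hosts_by_pair.setdefault((r["username"], r["_secret"]), set()).add(r["host"])
    return {user: sorted(hosts) for (user, _), hosts in hosts_by_pair.items()
            if len(hosts) > 1}


if __name__ == "__main__":
    stats = bot_stats(parse_bot_reports(BOT_REPORTS))
    print("bots:", stats["total"], "admin:", stats["admin"], dict(stats["country"]))
    creds = triage_credentials(STOLEN_RECORDS)
    print("by category:", dict(credential_summary(creds)))
    for user, hosts in reused_credentials(creds).items():
        print("reused across sites:", user, hosts)
```

    The masking is deliberate: a triage report circulated to banks or a CERT should never carry the cleartext passwords, so the only place the raw secret is used is the reuse check, and nothing prints it.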

    Having infected users with SpyEye, the bot master is now pushing a new TDSS variant, detected as TROJ_TDSS.VAD, to those bots. This links SpyEye to one of the major malware families we know to be part of the pay-per-install (PPI) business:

    [Screenshot: the TDSS payload being pushed to the SpyEye bots]

    We will continue to monitor this particular C&C server, as well as the SpyEye botnet as a whole. Further developments may be posted here at the Malware Blog.



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice